# REPRO-2026-00199: aiohttp static file directory traversal via follow_symlinks

## Summary

- Status: published
- Severity: high
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00199
- CVE: CVE-2024-23334

## Package

- Name: aiohttp
- Ecosystem: pip
- Affected: >= 1.0.5, < 3.9.2
- Fixed: 3.9.2

## Root Cause

No root cause analysis available.

## Reproduction Details

- Reproduced: 2026-07-02T05:16:05.618Z
- Duration: 664 seconds
- Tool calls: 69
- Turns: Unknown
- Handoffs: 1

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00199
pruva-verify CVE-2024-23334
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00199&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00199/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23334
- Source: https://nvd.nist.gov/vuln/detail/CVE-2024-23334

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 31997 bytes)
- bundle/repro/rca_report.md (analysis, 4688 bytes)
- bundle/repro/runtime_manifest.json (other, 4057 bytes)
- bundle/repro/validation_verdict.json (other, 736 bytes)
- bundle/ticket.json (other, 3632 bytes)
- bundle/ticket.md (ticket, 3106 bytes)
- bundle/logs/uv_venv_3.9.1.log (log, 160 bytes)
- bundle/logs/uv_pip_3.9.2.log (log, 630 bytes)
- bundle/logs/fixed_1.log (log, 1716 bytes)
- bundle/logs/vulnerable_1.log (log, 1581 bytes)
- bundle/logs/pip_install_3.9.2.log (log, 0 bytes)
- bundle/logs/fixed_2.log (log, 1716 bytes)
- bundle/logs/uv_install.log (log, 0 bytes)
- bundle/logs/reproduction_steps.log (log, 14525 bytes)
- bundle/logs/uv_venv_3.9.2.log (log, 160 bytes)
- bundle/logs/pip_install_3.9.1.log (log, 0 bytes)
- bundle/logs/uv_pip_3.9.1.log (log, 631 bytes)
- bundle/logs/vulnerable_2.log (log, 1581 bytes)
- bundle/repro/artifacts/http/fixed_1/health_resp.txt (other, 2 bytes)
- bundle/repro/artifacts/http/fixed_1/leak_method.txt (other, 1 bytes)
- bundle/repro/artifacts/http/fixed_1/m1_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_1/m1_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_1/m2_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_1/m2_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_1/m3_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_1/m3_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_1/m4_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_1/m4_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_1/result.txt (other, 8 bytes)
- bundle/repro/artifacts/http/fixed_1/version.txt (other, 6 bytes)
- bundle/repro/artifacts/http/fixed_2/health_resp.txt (other, 2 bytes)
- bundle/repro/artifacts/http/fixed_2/leak_method.txt (other, 1 bytes)
- bundle/repro/artifacts/http/fixed_2/m1_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_2/m1_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_2/m2_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_2/m2_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_2/m3_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_2/m3_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_2/m4_headers.txt (other, 159 bytes)
- bundle/repro/artifacts/http/fixed_2/m4_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_2/result.txt (other, 8 bytes)
- bundle/repro/artifacts/http/fixed_2/version.txt (other, 6 bytes)
- bundle/repro/artifacts/http/vulnerable_1/health_resp.txt (other, 2 bytes)
- bundle/repro/artifacts/http/vulnerable_1/leak_method.txt (other, 15 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m1_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m1_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m2_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m2_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m3_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m3_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m4_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m4_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_1/proof_leak.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_1/proof_leak_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_1/result.txt (other, 7 bytes)
- bundle/repro/artifacts/http/vulnerable_1/version.txt (other, 6 bytes)
- bundle/repro/artifacts/http/vulnerable_2/health_resp.txt (other, 2 bytes)
- bundle/repro/artifacts/http/vulnerable_2/leak_method.txt (other, 15 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m1_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m1_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m2_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m2_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m3_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m3_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m4_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m4_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_2/proof_leak.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_2/proof_leak_headers.txt (other, 234 bytes)
- bundle/repro/artifacts/http/vulnerable_2/result.txt (other, 7 bytes)
- bundle/repro/artifacts/http/vulnerable_2/version.txt (other, 6 bytes)
- bundle/repro/artifacts/source_diff.txt (other, 2399 bytes)
- bundle/repro/artifacts/http/fixed_1/m5_headers.txt (other, 178 bytes)
- bundle/repro/artifacts/http/fixed_1/m5_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_1/runtime_versions.txt (other, 1318 bytes)
- bundle/repro/artifacts/http/fixed_2/m5_headers.txt (other, 178 bytes)
- bundle/repro/artifacts/http/fixed_2/m5_resp.txt (other, 14 bytes)
- bundle/repro/artifacts/http/fixed_2/runtime_versions.txt (other, 1318 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m5_headers.txt (other, 253 bytes)
- bundle/repro/artifacts/http/vulnerable_1/m5_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_1/runtime_versions.txt (other, 1318 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m5_headers.txt (other, 253 bytes)
- bundle/repro/artifacts/http/vulnerable_2/m5_resp.txt (other, 40 bytes)
- bundle/repro/artifacts/http/vulnerable_2/runtime_versions.txt (other, 1318 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00199
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00199/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00199

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev